PRIVACY CHIEF WANTS $1M FINES IN NEW ACT

Privacy Commissioner John Edwards has recommended to Government, as part of its plans to reform the Privacy Act, that heavy fines be levied against businesses for a serious breach of the Privacy Act. If adopted, for serious breaches the Privacy Commissioner would be able to ask the High Court for civil penalties of up to $1 million for public and private sector organisations —aligning New Zealand fines with those in Australia. The recommendation is one of several in the Privacy Commissioner’s latest report on the current operability of the Privacy Act, which was presented to Parliament in early February – coinciding with the Government’s stated intention of tabling a new Privacy Bill before the September election.

The actions of the Commissioner are due in part to his stated concerns that the wide-ranging Law Commission review of the Act — presented to Parliament in 2011 — is already out of date, and he says from a privacy perspective, a lot has changed in the last five years. “Important developments since 2011 that impact on the operation and adequacy of the privacy legislation include developments in data science and information technology, and new business models built on a data-driven enterprise.” Edwards says there are apparent gaps and weaknesses in the Privacy Act’s enforcement framework that need to be addressed if the reforms proposed are to introduce “an effective and modernised form of privacy regulation.”

In addition to the million dollar corporate fines, the Commissioner has requested:

fines of up to $100,000 for individuals for a serious breach of the Act

additional powers for the Commission to require businesses to demonstrate ongoing compliance with the Act — and to proactively identify and respond to systemic issues

a narrowing of the defences available to businesses that obstruct the Privacy Commissioner or fail to comply with a lawful requirement of the Commissioner

introducing data portability as a consumer right

an update to protect against the risk that individuals can be unexpectedly identified from data that had been purportedly anonymised

While the Bill is expected to land before September, a Ministry of Justice spokesperson advised datafix that as the timetable was subject to the Parliamentary Counsel Office's other drafting priorities, timings could not be “set in stone.” Watch this space.